
Cause the NSA ain't providing code, bandwidth, or servers to scale the system to millions of users. Google and Facebook have the knowledge and resources to actually do it, if they want.

But yeah, it's a pretty dumb hope. They don't want you to have any anonymity as it is.

I think it would be cool if someone were to design a cryptocurrency wherein the proof of work was somehow related to the number of connections proxies. So mining would actually be providing anonymity to those who needed it and there would be an incentive to provide service. However that trick of providing indisputable proof of work, while not revealing the traffic or inbound/outbound connections might be a bit tricky to get right.

OTOH, Skype and Bittorrent had successful models for scaling up: People were configured by default to add their bandwidth to the pool. In bittorrent's case, your throughput suffered if you were stingy about contributing.

I2P is probably the closest networking layer [geti2p.net] there is to combining the goals of Tor with the methods of Skype and bittorrent. It is both highly decentralized and onion-like, and has been steadily improving for well over a decade now. If you happen to have a TAILS dis

It's a matter of your history. Who'd you trust your child to? A babysitter who spent hundreds of hours and has hundreds of people vouching for her or that scary looking hobo at the corner? Who'd you trust your privacy with? An organization who has a record of defending people's freedom or a corporation who has a record of selling every kind of information they can get their fingers on?

Seriously I'm all for conspiracy FUD, but this seems legit. Who says everyone is in agreement on the same team? It's a project where the code is visible to be scrutinized. This means that whoever is submitting back code is submitting good bug fixes. TOR developers aren't morons.

I happen to know a highly skilled person working as a security analyst. He says his main customer for 0days is the NSA – But this friend has an independent mind and conscience (he is not a NSA person, just an outside contractor). I know for a fact he also has worked voluntarily to make the world a better place (i.e. with the "good guys"). I guess my friend is not the only such analyst. If people like him can sell their work and (in full or in part) leak part of his findings to the underground, privacy-m

He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

If one of those guys gets their hands on it you can forget about using it to hide anything from the government.

"Here's some bugs we've fixed for you guys. Trust us."

Oh yeah, because the current debug team we can trust so much...

There are two parts:
* Here is the bug.
* Here is a bug fix.

The first has a lot of value in an open source community. The second if taken with blind faith is a potential disaster.

As a pair the time window for attack can be reduced.

Gifts from the NSA are an interesting thing... Some might be triggered because they have evidence that others have knowledge of the flaw and are exploiting it. As the need for human intelligence grows the need for secure communication increa

Are you aware that Google is one of the last big internet guys who refuses to cooperate with the Chinese government? Or that they cooperate with the EFF, and run ChillingEffects to make people aware of draconian DMCA takedowns?

Everyone's so eager to lynch the one big corporate ally that OSS / privacy advocates have.

Google, Facebook, and the NSA government are nothing more than competing Panopticons. They all want as much of your personal information as they can collect, and they all want to keep it as long as they can.

If one of these organizations is legally battling the other, then you can be sure it is because they feel they should have more of your data than the other, not because of a moral imperative.

Google has lost ~1.2 billion customers by their actions in China. They are no longer accessible from mainland china (since May) and VPNs generally work very poorly there. "Big whoop" that they've lost access to 20% of potential customers and the largest emerging market, right?

It would be naive at best to think that Google is the "one big corporate ally that OSS" has. If you want to try and hang that badge on a single company, it's probably IBM. And regardless of the value and quantity of OSS contributions and support, definitely don't make the mistake of thinking that "Google" and "privacy" belong in the same sentence unless it has "doesn't do much to ensure" between those 2 words.

It would be naive at best to think that Google is the "one big corporate ally that OSS" has. If you want to try and hang that badge on a single company, it's probably IBM.

Erm, IBM is like a prostitute or a mercenary, no real principles concerning the situation at hand (so to speak). Google appears to make decisions based on principles and reality. How well Google follows those principles is a matter for debate.

Are you aware that Google is one of the last big internet guys who refuses to cooperate with the Chinese government?

What are you talking about? Google pretty much capitulated to the Chinese government on all fronts a couple years ago.

Do some DuckDuckGo'ing if you don't believe me. I'd suggest not searching for this using Google, since using that engine for this seems to bury some of the less favorable stories - the ones at the top are the ones that use language referring to Google "reluctantly" giving in.

But in any case there have been multiple instances over the past several years where Google has made noise about standing

Google pretty much capitulated to the Chinese government on all fronts a couple years ago.

In 2006, yes (as did Yahoo and Microsoft, a few years earlier). As of 2009, the relationship between the two has become highly antagonistic, with Google refusing to cooperate, and actively undermining the GFW / censorship net in many cases.

That's why you can't actually visit google.com in China from the mainland these days.

Tor needs a PR boost if that ever is going to happen. As it stands right now, it is SOP for an admin to block all exit nodes at the incoming router, the IP stack on the machine, the web server, and the application, because of abuse.

No big company is ever going to touch Tor as it stands right now, because of its reputation as a service for criminals (q.q.v. Four Horsemen of the Infocalypse.)

As it stands right now, it is SOP for an admin to block all exit nodes at the incoming router, the IP stack on the machine, the web server, and the application

And there's plenty of reasons to do so. There's a reason that companies have firewalls that block outgoing connections as well as incoming. Or would you rather they allowed traffic from anonymous internet sources to route through their networks?

Home users are a different story, but I don't see why most corps would want to allow TOR. They have enough i

It's not just about companies. I haven't used Tor despite my interest in the project because I don't think a court would understand if illegal traffic came from my home internet connection despite me running Tor. Most courts hold the account holder responsible for traffic on their network.

If that happens, then everyone who needs to go on swapping terrorist plans or child porn images will move to some new shaky little service. IP over carrier pigeons? Stegged vacation snapshots? Direct-beamed lasers? Lather, rinse, repeat.

Timeo Danaos et dona ferentes.
"I fear the Greeks, even though they bear gifts." I believe is the line.
It could also be rendered as "I fear the Greeks, especially because they bear gifts," as well.
Either way.

Remember, the NSA is the group that originally gave us Tor. If I was one of the original developers, and I took pride in my work - it is likely I would continue to help the project improve, even if my employer had changed focus.

Also, remember that the NSA is not just one huge monolithic group with only one task on their plate. I find it easy to believe that some folks there question the wisdom of attempting to cripple security (such as they seem to have done with the elliptic curve ciphers). Plus code breakers and cryptographers are, in general, going to be working at cross purposes - it's the nature of their jobs.

Incorrect. Onion routing was originally created at the U.S. Naval Research Lab as a way to provide independent, real-time, and bi-directional anonymous connections that are resistant to both eavesdropping and traffic analysis. Tor is the 3rd design of said project, which was originally started in 1996.

I have no idea when the NSA started using onion routing, but I know for a fact that they did not create it.

"You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software."

Come on... NSA undoubtedly has highly developed automated tools for identifying flaws in source code, or at least rating the probability of a flaw existing within any section of code so that analysts can focus t

SELinux is a good stab at that. While not 100%, it has helped ensure that a program that manages to get a root context still doesn't have full superuser reign over the system. It isn't simple, but it does a good job at security over previous tools like SUID wrappers.

I wouldn't mind a code review of web browsers and browser add-ons, as those are the first points of contact and generally a primary vehicle for malware to get a foothold.

Despite all their Orwellian, unconstitutional acts of treason against the American public, I'm sure the NSA is also still continuing to perform counterintelligence against foreign threats (e.g. the Chinese) like they're supposed to.

It depends on the US or UK mission. If the US gov wants to support some NGO doing a Colour revolution http://en.wikipedia.org/wiki/C... [wikipedia.org] then the communications and support has to work well over years.
For every other use of online anonymity the US and UK would like to have a way in as now understood with most of the tame telco and banking crypto over decades.
e.g. NSA surveillance: A guide to staying secure http://www.theguardian.com/wor... [theguardian.com] (6 September 2013)
the classic line "... have invested in enormo

Isn't TOR partially funded by the government? And also used by government agents? It would be really awkward if one of the "let's overthrow this government that America doesn't like" movements hidden by TOR traced back to government agents.

Am I alone in thinking that the NSA doesn't really care about exploiting flaws in TOR but rather is more interested in encouraging its use because they've exploited something else?

I think the NSA encourages TOR use, to be honest - they used to, or still run, one of the largest set of exit nodes, for the sole purpose of monitoring traffic. (Most Tor users don't really care about the private tor stuff, they just want their "anonymous facebook" and "anonymous G+" without gubmint spying)

While I love and appreciate Tor as a means to remain anonymous online, I work for a company that's the victim of quite a bit of "comment" spam hailing from among other places Tor. The spam ranges from individual businesses promoting themselves for their own benefit under false pretenses, all the way to professional spammers gaming the system (mostly locksmiths). I hope if the Tor network expands the list of exit nodes remains maintained so I can continue to blacklist content from those sources... it's heavy handed but beats swimming in spam.
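The blocklisting this post describes, and the per-layer blocking the earlier comment calls SOP for admins, both come down to the same check: is a request's source address on a published exit-node list (such as the Tor Project's bulk exit list, which publishes one address per line)? The script below is an added example, not code from the original thread or from the Tor Project; the exit list and the access-log lines are constructed samples, and the `/comment` endpoint and the log format (Apache/nginx "combined" style) are assumptions. It loads the list, tolerating comments and malformed lines, then scans the log and flags only comment POSTs from exit addresses, so reads over Tor are left alone.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of an exit-node list in one-address-per-line form
# (assumption: the bulk-exit-list format). Not real data.
SAMPLE_EXIT_LIST = """\
# constructed exit list - not real data
198.51.100.7
203.0.113.42
2001:db8:0:1::9
"""

# Constructed "combined"-style access log lines (assumption about log format).
SAMPLE_LOG = """\
203.0.113.42 - - [10/Aug/2014:12:00:01 +0000] "POST /comment HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Aug/2014:12:00:02 +0000] "POST /comment HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2014:12:00:03 +0000] "GET /article/1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
2001:db8:0:1::9 - - [10/Aug/2014:12:00:04 +0000] "POST /comment HTTP/1.1" 200 501 "-" "curl/7.30"
192.0.2.10 - - [10/Aug/2014:12:00:05 +0000] "GET / HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_exit_list(text: str) -> set:
    """Parse an exit-node list into a set of normalized ip_address objects.
    Blank lines and '#' comments are skipped; malformed entries are ignored
    rather than aborting the load, so one bad line cannot disable the filter."""
    exits = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            exits.add(ipaddress.ip_address(line))  # handles IPv4 and IPv6
        except ValueError:
            continue
    return exits


def parse_log_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ip"] = ipaddress.ip_address(rec["ip"])
    except ValueError:
        return None
    return rec


def flag_exit_node_posts(log_text: str, exits: set,
                         path_prefix: str = "/comment") -> List[Tuple[str, str]]:
    """Return (ip, timestamp) for comment submissions that came through a known
    exit node. Only POSTs to the comment endpoint are flagged, keeping the
    policy as narrow as the abuse it targets."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"].startswith(path_prefix)
                and rec["ip"] in exits):
            flagged.append((str(rec["ip"]), rec["ts"]))
    return flagged


def summarize(log_text: str, exits: set) -> Dict[str, int]:
    """Count comment POSTs overall and from exit nodes: the before/after number
    an admin wants when weighing the blocklist against its collateral damage."""
    total = exit_posts = 0
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        total += 1
        if rec["ip"] in exits:
            exit_posts += 1
    return {"comment_posts": total, "from_exit_nodes": exit_posts}


if __name__ == "__main__":
    exit_set = parse_exit_list(SAMPLE_EXIT_LIST)
    for ip, ts in flag_exit_node_posts(SAMPLE_LOG, exit_set):
        print(f"exit-node comment POST from {ip} at {ts}")
    print(summarize(SAMPLE_LOG, exit_set))
```

Doing the match at the application layer, as here, is what lets the rule be scoped to the one abused endpoint; a router or host-firewall rule on the same list necessarily drops every Tor visitor, including the readers the site has no reason to turn away.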

If you are using a well-known framework for your site there might already be support for comment spam management. It's not always free as some of them are basically interfaces for a paid service but it may still be worth a look. They would block comment spam in general instead of focusing on comments from a specific set of nodes.

While I love and appreciate IPV6 as a means to remain anonymous online, I work for a company that's the victim of quite a bit of "comment" spam hailing from among other places IPV6. The spam ranges from individual businesses promoting themselves for their own benefit under false pretenses, all the way to professional spammers gaming the system (mostly locksmiths). I hope if the IPV6 network expands the list of proxies remains maintained so I can continue to blacklist content from those sources... it's heavy handed but beats swimming in spam.

FTFY.

In both cases, we're shooting the messenger. And yes, I regularly see IPV6 proxies being blocked, probably for these reasons.

Nah this is just Sony Electronics wanting to leverage their entertainment holdings to sell TVs and Players with proprietary formats while Sony Entertainment wants to maximize sales. Or maybe I got it backward. Anyhow lots of diversified companies have internal conflicts. The IBM PC which uses all non-IBM parts was not made by the primary Computer division at IBM. Samsung also has internal competition with conflicting objectives,

I don't think that these bug reports that the NSA is making are actually leaks. My theory is that these exploits have already been used by the NSA, and are believed to be at the end of their useful life cycle (ie; the NSA suspects that someone else has found the bug and may report it) so they go ahead and report it - it boosts the NSA's image because they're supposedly reporting zero-days, but in reality they're just getting rid of what they don't need anymore.

If you RTFA you'll see that Lewman has zero evidence for this assertion. The headline paints it as a statement of fact but in reality all Lewman knows is there are people who appear to be reading the source code and reporting bugs anonymously. That's it. They could be NSA/GCHQ moles. Or, more likely, they could be anonymity fans who like security audit work. They really have no idea.

Do you think it's possible that they are also ferreting out the paths an actual mole's information would go through?

However, I think what you say is NOT the reason, because it would mean that the NSA was a crafty and well run organization, with intelligent (yet evil) people at the top, and loyal workers doing their bidding.

An underling wouldn't just DECIDE to reveal this information if they were loyal. And someone at the top would have to be clever and understand a bit of tech to make the order.

1) The White Hats are being brazen because they know that the political appointees are not savvy enough to turn them in.

2) The White Hats are foolish, because looking at the type of exploits in Tor revealed would quickly narrow the list of mole suspects.

I seriously doubt #2 is the answer based on the type of person who would find these bugs. So it gives me hope that the "Geeks" are a separate class from the "Suits" and the suits as usual are arrogant political appo

On the other hand if you're a Tor developer interested in disrupting the NSA unit assigned to hack your system why not just say you receive regular leaks from the NSA unit assigned to hack your system.

The NSA has two directives that often conflict with each other:
1) Protect communications that are critical to our nation's security. This is mostly military/government comms, but they have a role in securing banking and other civilian networks. An example of what comes from this side of the NSA is SELinux - which is now heavily used by Android to provide additional security against malware.
2) Compromise and monitor the communications of our enemies. These guys overstepping their bounds are what has been routinely making the news lately.

While I can't see an obvious reason for the guys in category 1 to want to strengthen Tor, it's possible. (Potentially on behalf of another agency... Think in terms of Tor's use by Chinese dissidents.)

I'm fairly certain the people in categories 1 and 2 don't get along with each other. While in theory their goals should not conflict (one focuses on our enemies, one focuses on strengthening friendlies), the truth is that it's hard for the guys in category 1 to strengthen friends without also making those tools available to our enemies - and the guys in category 2 are routinely overstepping their bounds and attacking friendlies.

Are you sure those are (the) two official NSA directives? They almost can't be, for 2. can entirely be seen as a subset of 1.

Other than that, they (or you?) have a very loose way of using 'our' in 'our nation's security' and 'our enemies'. Do you, personally, consider yourself among 'our' as used here? Not to be personal -- but I am almost certain they do not count you among the 'our'; you see, the NSA's true objective is to protect those of ultimate wealth and power in the US against those without weal

Dual missions and attracting the next generations to gov, mil work and onion routing.
From collect it all reality to 'help' spread democracy branding.
If US backed dissidents face a new range of telco tools that have just been sold to govs, better to help developers stay one step ahead.
If a new range of telco tools used by the US govs to collect it all have just been upgraded, better to give developers some busy work for a few years.
Both options need clean social engineering access to real people to shape s

I've heard that Tor was initiated by three-letter government agencies in the first place, and that the last thing they want to do is shut it down or ruin the anonymity it gives its users, because they're using it in their own operations to start with. Compromising it would inevitably lead to their own enemies getting their hands on the exploits, and ultimately on their own operatives, so why wouldn't they have a covert program of improving the overall security of Tor? Now, on the other hand, I wouldn't at

NSA doesn't give a rip. Their job is to get into Tor. If they find out military or CIA secrets it is not a problem because they are on the same side. Ideally, they'd find exploits or put them in and patch it for the military's client only... but their primary goal is to get themselves in, secondary goal is to help the other agencies (so they are not going to publicly give Tor patches... or if they do decide that is more important, do you think they would be public about it? I would think they would purpo

If by "three-letter government agencies" you mean the USN, specifically the Office of Naval Research, then you're correct. But most people in the US call the USN "the Navy", so there are some extra letters.

Doesn't this make people's PCs open and vulnerable to viruses/malware and are they not also one of the bad guys, making me have to pay a yearly fee to my antivirus provider? Can we sue the NSA for part of what we have been paying all these years for viruses THEY released??

"He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users."
What the hell? Then he doesn't know how Tor works. If a large entity controls a ton of the entry and exit nodes, they can traffic match and identify users. The LAST thing we need is a giant entity ruining it by adding millions of servers.